U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Cloud Oversight Resulted in Unsubstantiated and Missed Opportunities for Savings, Unused and Undelivered Services, and Incomplete Policies

Report No. 14-P-0332                   August 15, 2014


Report Contributors:   Rudolph M. Brevard
                       Charles M. Dade
                       Albert E. Schmidt


Abbreviations

CFR     Code of Federal Regulations
CIO     Chief Information Officer
EPA     U.S. Environmental Protection Agency
FAR     Federal Acquisition Regulation
FY      Fiscal Year
GSA     General Services Administration
IaaS    Infrastructure-as-a-Service
IPv6    Internet Protocol version 6
IT      Information Technology
NCC     National Computer Center
NIST    National Institute of Standards and Technology
OARM    Office of Administration and Resources Management
OEI     Office of Environmental Information
OIG     Office of Inspector General
OMB     Office of Management and Budget
TIC     Trusted Internet Connection


Hotline
To report fraud, waste or abuse, contact us through one of the following methods:
  email:   OIG_Hotline@epa.gov
  phone:   1-888-546-8740
  fax:     1-202-566-2599
  online:  http://www.epa.gov/oig/hotline.htm
  write:   EPA Inspector General Hotline
           1200 Pennsylvania Avenue, NW
           Mailcode 2431T
           Washington, DC 20460

Suggestions for Audits or Evaluations
To make suggestions for audits or evaluations, contact us through one of the following methods:
  email:   OIG_WEBCOMMENTS@epa.gov
  phone:   1-202-566-2391
  fax:     1-202-566-2599
  online:  http://www.epa.gov/oig/contact.html#Full_Info
  write:   EPA Inspector General
           1200 Pennsylvania Avenue, NW
           Mailcode 2410T
           Washington, DC 20460


                                                                    14-P-0332
U.S. Environmental Protection Agency                            August 15, 2014
Office of Inspector General

At a Glance

Cloud Oversight Resulted in Unsubstantiated and Missed Opportunities for Savings, Unused and Undelivered Services, and Incomplete Policies

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency (EPA) had: (1) implemented its cloud initiatives in accordance with the Federal Cloud Computing Strategy and associated requirements, and (2) developed formal processes to monitor cloud vendors.

Cloud computing describes a broad movement to treat information technology (IT) services as a commodity with the ability to dynamically increase or decrease capacity to match usage needs. In December 2010, the U.S. Chief Information Officer issued a “Cloud First” policy requiring that agencies default to cloud-based solutions for new IT deployments whenever a secure, reliable and cost-effective cloud option exists.

This report addresses the following EPA goal or cross-agency strategy:

  • Embracing EPA as a high-performing organization.

For further information, contact our public affairs office at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2014/20140815-14-P-0332.pdf

What We Found

The EPA developed processes to monitor cloud vendors. However, controls for the EPA’s cloud computing initiatives are incomplete and need improvement. Specifically:

  • The EPA’s policies and procedures for moving to the cloud are incomplete and need improvement.
  • The EPA’s cost-benefit analysis did not adhere to guidance.
  • The EPA paid full price for services not performed.
  • The EPA entered into a cloud infrastructure contract that could not be used to host applications because it did not meet federal requirements. Further, there was no documented analysis to determine whether the EPA should continue with the contract.
  • The EPA had not performed an analysis to determine whether it would be in the EPA’s best interest to convert its internal infrastructure to meet all of the National Institute of Standards and Technology essential characteristics of a cloud.
  • The EPA’s Office of Environmental Information did not implement a strategy to evaluate the EPA’s entire portfolio of IT applications to determine which applications can be consolidated, retired or moved to the cloud.

As a result, the EPA paid $2.3 million for services that were not fully rendered or did not comply with federal requirements. Also, EPA management does not have reasonable assurance that the agency’s cloud initiatives will be effective, efficient, and in compliance with applicable laws and regulations.

Improved oversight could help the EPA achieve objectives for the millions spent for cloud services and identify potential cost savings.

Recommendations and Planned Corrective Actions

We recommend that the Assistant Administrator for Environmental Information and Assistant Administrator for Administration and Resources Management undertake a number of corrective actions to address deficiencies in the EPA’s cloud computing initiatives, including: improving related policies and procedures; providing additional training and oversight to contracting officers; performing documented cost-benefit analyses that are in compliance with federal requirements; and implementing a strategy to perform a documented analysis of all the assets in the EPA’s IT portfolio to determine which assets should be consolidated, retired or moved to the cloud. The agency concurred with two of the 11 recommendations. The remaining recommendations are considered unresolved pending the agency’s response to the final report.


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

August 15, 2014

MEMORANDUM

SUBJECT:  Cloud Oversight Resulted in Unsubstantiated and Missed Opportunities for Savings, Unused and Undelivered Services, and Incomplete Policies
          Report No. 14-P-0332

FROM:     Arthur A. Elkins Jr.

TO:       Renee Wynn, Acting Assistant Administrator and Chief Information Officer
          Office of Environmental Information

          Craig E. Hooks, Assistant Administrator
          Office of Administration and Resources Management

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The offices responsible for areas covered in this report include the Office of Administration and Resources Management’s (OARM’s) Office of Acquisition Management and the Office of Environmental Information’s (OEI’s) Office of Technology Operations and Planning.

Action Required

OARM indicated that it completed agreed-upon corrective actions associated with recommendations 2 and 7, and we are closing those recommendations in our audit tracking system upon issuance of this report.

OEI’s responses for recommendations 1, 3, 4, 5, 6, 8, 9, 10 and 11 did not provide sufficient information on intended corrective actions to allow us to properly determine whether the intent of these recommendations is satisfied. These recommendations will remain unresolved until OEI provides planned corrective actions in response to the final report.

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 60 calendar days. You should include planned corrective actions and completion dates for all unresolved recommendations. Your response will be posted on the OIG’s public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

We will post this report to our website at http://www.epa.gov/oig.


Table of Contents

Chapters
  1  Introduction ............................................................ 1
       Purpose ............................................................... 1
       Background ............................................................ 1
       Scope and Methodology ................................................. 3

  2  Improvements Needed in Email Cloud Implementation ..................... 5
       Improvements Needed for Email Cloud Analysis .......................... 5
       EPA Paid for Email and Collaboration Moving Services Not Received ..... 6
       Conclusions ........................................................... 7
       Recommendations ....................................................... 8
       Agency Response to Draft Report and OIG Evaluation .................... 8

  3  Improvements Needed in Infrastructure-as-a-Service Cloud Implementation  10
       IaaS Cloud Contract Could Not Be Utilized to Host Applications ....... 10
       Analysis for Continued Use of IaaS Needs to Be Performed ............. 12
       Conclusions .......................................................... 14
       Recommendations ...................................................... 14
       Agency Response to Draft Report and OIG Evaluation ................... 15

  4  OEI Did Not Evaluate Whether Applications Could Be Retired, Consolidated and Moved to the Cloud  16
       OEI Did Not Evaluate Applications for Retirement, Consolidation and Cloud Migration  16
       Conclusions .......................................................... 17
       Recommendations ...................................................... 18
       Agency Response to Draft Report and OIG Evaluation ................... 18

  5  Improvements Needed in Documented Processes for Cloud Implementation .. 19
       Cloud Computing Policies and Procedures Need Improvement ............. 19
       Conclusions .......................................................... 20
       Recommendation ....................................................... 21
       Agency Response to Draft Report and OIG Evaluation ................... 21

  Status of Recommendations and Potential Monetary Benefits ................ 22

Appendices
  A  OEI Response to Draft Report and OIG Comments ......................... 24
  B  OARM Response to Draft Report and OIG Comments ........................ 32
  C  Distribution .......................................................... 37


Chapter 1
Introduction

Purpose

We sought to determine whether the U.S. Environmental Protection Agency (EPA) had: (1) implemented its cloud initiatives in accordance with the Federal Cloud Computing Strategy and associated requirements, and (2) developed formal processes to monitor cloud vendors.

Background

In December 2010, the U.S. Chief Information Officer (CIO) issued a “Cloud First” policy within the 25-Point Implementation Plan to Reform Federal Information Technology Management published by the White House. In February 2011, the U.S. CIO also issued the Federal Cloud Computing Strategy, which identified cloud computing as having the potential to play a major part in achieving efficiencies in the federal government’s information technology (IT) environment. Efficiencies potentially improved by cloud computing include asset utilization and the reduction of duplicative systems.

According to the National Institute of Standards and Technology (NIST), cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources—such as computer servers, storage, software applications and Web services—that can be provisioned and released with minimal management effort or service provider interactions. In other words, in a cloud environment, IT resources are available to users as needed using a pay-as-you-go business model.

The Government Accountability Office has indicated that cloud computing can potentially provide several benefits over current systems, including faster deployment of computing resources, a decreased need to buy hardware or to build data centers, and more robust collaboration capabilities. Per the Federal Cloud Computing Strategy, cloud computing can also:

  • Provide lower individual usage costs and centralize infrastructure costs via realized economies of scale.
  • Allow users to pay for what they consume.
  • Allow users to increase or decrease their usage.
  • Leverage the shared underlying resources.

Responsible Offices

The EPA’s Office of Environmental Information (OEI) and Office of Administration and Resources Management (OARM) have key responsibilities regarding the EPA’s migration to the cloud. Within those two offices:

  • OEI’s Office of Technology Operations and Planning provides technology services and manages the EPA’s IT investments and infrastructure. The Office of Technology Operations and Planning oversees IT operations and security (including IT investment management), enterprise architecture, application development and hosting, high performance computing, and development of policies and standards to guide IT expenditures and operations.

  • OARM’s Office of Acquisition Management is responsible for planning, awarding and administering contracts for the agency, including issuing and interpreting acquisition regulations, administering training for contracting and program acquisition personnel, providing advice and oversight to regional procurement offices, and providing IT improvements for acquisition.

Guidance Issued

On January 24, 2011, the EPA’s Assistant Administrator for OEI (the EPA’s CIO) issued a memorandum in reference to the 25-Point Implementation Plan to Reform Federal Information Technology Management published by the White House. The memorandum established OEI’s National Computer Center (NCC) as the agency’s focal point for acquiring cloud solutions and appointed OEI as the lead for developing a cloud computing strategy for both private and public cloud usage. Although the memorandum indicated that the NCC is the focal point for acquiring cloud solutions, OEI indicated that this is limited to efforts to provide cloud services via the EPA’s internal private cloud services provided by the NCC and external cloud services obtained by the NCC via the General Services Administration (GSA) Infrastructure as a Service (IaaS) Bulk Purchase Agreement.

The EPA’s Assistant Administrator and CIO issued a memorandum on Cloud Computer Services Security Requirements on September 6, 2011, to provide information to consider when evaluating cloud computing solutions. The memo indicates that the EPA needs to conduct control assessments on the cloud provider’s systems to determine what, if any, controls need to be implemented by the provider or by the EPA. This memo also indicates that systems used by the cloud provider shall obtain an Authorization to Operate from an EPA official before EPA information is stored, processed or transmitted on the systems.

Additionally, the EPA’s CIO approved a System Life Cycle Management Policy and Procedure on September 21, 2012. The policy applies to systems developed on behalf of the EPA by vendors irrespective of where the IT systems are hosted, including cloud-based solutions. The System Life Cycle Management Procedure also indicated that if the application will be hosted in a cloud-based environment, the system must adhere to the additional controls published by the Federal Risk and Authorization Management Program.[1]

The EPA also issued Enterprise Roadmap 2012, which states that in fiscal year (FY) 2012 all of the EPA will be able to obtain cloud computing services from a GSA-authorized external cloud services vendor authorized for low-sensitivity applications and an EPA-hosted private cloud authorized for medium-sensitivity applications. The Roadmap indicated that OEI will provide support for evaluating cloud computing alternatives as part of the Capital Planning and Investment Control process, and will assist in transitioning agency applications into the cloud computing infrastructure. Furthermore, the Roadmap stated that the EPA will default to cloud-based solutions whenever a secure, reliable and cost-effective cloud option exists.

Scope and Methodology

We performed this audit from January 2013 to April 2014 at the EPA headquarters in Washington, D.C.[2] We performed this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

As a part of this review, we looked at the following two EPA cloud initiatives:

  1. My Workplace: OEI awarded a vendor a contract to provide Software-as-a-Solution for an email and collaboration suite. This contract also requires the vendor to provide support for OEI’s internal infrastructure used to host internal email and other applications. OEI has indicated that this infrastructure will not go away before 2019. Services provided by My Workplace include email, calendar, contacts, collaborative document editing and workspaces, Web conferencing, and other collaboration activities.

  2. Infrastructure-as-a-Service (IaaS) contract: OEI awarded its IaaS contract through a GSA Blanket Purchase Agreement. The EPA plans to use this IaaS contract to make cloud computing resources available agencywide for low-sensitivity applications through the EPA’s Working Capital Fund.

[1] The Federal Risk and Authorization Management Program is a governmentwide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
[2] The audit was performed in Washington, D.C., but we conducted video and telephone interviews with EPA points of contact who are located in North Carolina.

We reviewed the EPA’s policies and procedures related to cloud computing to determine whether they were aligned and implemented in accordance with federal cloud computing policies. We limited the review of the My Workplace and IaaS initiatives to: (1) planning of the projects, and (2) the extent of the use of these cloud initiatives. We did not perform detailed reviews of the associated contracts. We made inquiries to EPA regions and program offices to collect information related to their plans for migrating applications from the EPA’s infrastructure that was used to host internal email. We analyzed the agency’s key cloud computing documents and related documentation. We examined the Federal Acquisition Regulation (FAR) and guidance published by the Office of Management and Budget (OMB) and NIST to gain an understanding of federal cloud computing recommendations and requirements.

Further, we interviewed and collected documentation from OARM’s Office of Acquisition Management and OEI’s Office of Technology Operations and Planning management and staff responsible for planning, procuring, maintaining, and monitoring the agency’s cloud computing services. We found no significant deficiencies associated with the EPA’s monitoring of the cloud vendors.


Chapter 2
Improvements Needed in Email Cloud Implementation

The EPA’s cost-benefit analysis of, and contract modifications for, the agency’s email cloud computing implementation were not performed in compliance with EPA and federal guidance. OMB Circular A-94 Revised indicates that a cost-benefit analysis is the recommended technique to use in a formal economic analysis of government programs and projects.[3] The cost-benefit analysis included in-house costs that are normally excluded. Also, the OARM contracting officer did not negotiate and issue a written modification prior to performance and did not seek an equitable reduction in the contract price for work not performed as specified in the contract, as required by the FAR.[4] As a result, by including costs that would not normally be considered in a cost-benefit analysis, it is questionable whether the agency will realize the estimated savings used to justify moving email to the cloud. Additionally, inaction by the contracting officer resulted in the agency paying for services it did not receive.

Improvements Needed for Email Cloud Analysis

The EPA’s cost-benefit analysis, included in the Collaborative Tools in the Cloud Business Case Presentation for migrating email and collaborative tools, dated April 2012, did not adhere to EPA and federal guidance. Table 1 shows the estimated costs OEI used in 2012 to justify its decision not to keep email services in house and to migrate email to the cloud. Using OEI’s cost-benefit analysis, there is an estimated savings of $3,481,000, based on FY 2012 estimated costs derived from the Working Capital Fund billing rates as of April 2012.

Table 1: OEI estimated cost projections

                                                      FY 2013        FY 2014        FY 2015        Totals
  OEI’s estimated costs for keeping email
  services in house in FY 2012                     $12,061,000    $12,061,000    $12,061,000    $36,183,000
  OEI’s estimated costs for moving email
  to the cloud                                      14,221,000      9,454,000      9,027,000     32,702,000
  OEI’s estimated savings                          ($2,160,000)    $2,607,000     $3,034,000     $3,481,000

Source: Information provided by OEI.

The EPA’s System Life Cycle Management Requirements Guidance refers to OMB Circular A-94 Revised for guidance when performing a cost-benefit analysis. OEI’s Business Case Presentation made in April 2012 included the cost-benefit analysis, which used Working Capital Fund figures that included $2,142,000 in hardware costs in the estimated cost of keeping the email services in house. OEI representatives indicated that these hardware costs included costs for administrative support and sunk costs such as hardware depreciation.

[3] See OMB Circular A-94 Revised Section 5.
[4] The Code of Federal Regulations (CFR), in 48 CFR Subsections 42.302(b), 43.204(b)(2), 43.103, and 43.201.

Per OMB Circular A-94 Revised, these costs are not normally included and should be excluded from a cost-benefit analysis.[5] The administrative cost is an indirect cost that cannot be assigned to one service but, rather, is a cost divided among all OEI services. Additionally, the depreciation cost reflects funds already spent and is not a current cash expense. By including costs for the in-house alternative that would not normally be considered in a cost-benefit analysis, it is questionable whether the agency will realize the estimated savings indicated. Additionally, the cost-benefit analysis did not include a statement of the assumptions, the rationale behind them, and a review of strengths and weaknesses, as required by OMB Circular A-94 Revised.[6]

OEI pointed out that it believed the email and collaborative tools cloud initiative was an acquisition of commercial-type services by government or contractor operation and was therefore exempt from OMB Circular A-94 Revised. That circular indicates that OMB Circular A-76 Revised is the guidance for the acquisition of commercial-type services by government or contractor operation.[7] Subsequent to the issuance of the draft report, OEI indicated that it now believed OMB Circular A-94 Revised was applicable.

Since OEI did not perform a cost-benefit analysis that was in compliance with OMB guidelines, it is questionable whether the agency will realize its projected cost savings.

EPA Paid for Email and Collaboration Moving Services Not Received

The EPA paid for services not received on the contract to move the EPA’s email and collaboration services to the cloud. The contract, as modified, included the requirement for the vendor to transfer all of the EPA’s email to the cloud within 5 months of the award of the contract.

After entering into the contract, OEI indicated that the vendor stated it could not transfer all of the email in the timeframe required by the contract. As a result, OARM’s contracting officer orally allowed the vendor to transfer only 30 days’ worth of email. Even though the vendor did not perform the work agreed to in the contract, the contracting officer did not issue a cure notice[8] or seek to renegotiate the price of the contract with an equitable reduction in price.

[5] OMB Circular A-94 Revised Section 6 subsection a.
[6] OMB Circular A-94 Revised Section 5 subsection c.3.
[7] OMB Circular A-94 Revised Section 4 subsection b.2.
[8] A cure notice notifies a vendor that it is in default of a contract. Cure notices specify failures and suggested cures.

In addition to paying the vendor full price for agreed-to services not performed as specified in the contract, the EPA is incurring additional costs for maintaining emails not migrated to the cloud. OEI indicated the cost of maintaining the old email was low, but was unable to provide the Office of Inspector General (OIG) with the annual cost. Additionally, OEI is planning to incur the annual cost of providing employees with access to the email that was not moved off of the legacy email platform until at least FY 2019.

The FAR specifies that:

  • Contracting officers are responsible for ensuring performance of all necessary actions for effective contracting, ensuring compliance with the terms of the contract and safeguarding the interests of the United States.[9]

  • If repair/replacement or re-performance will not correct the defects or is not possible, the government may seek an equitable price reduction or adequate consideration for acceptance of nonconforming supplies or services.[10]

  • If the termination is predicated on the contractor failing to perform some of the other provisions of the contract (such as not furnishing a required performance bond) or so failing to make progress as to endanger performance of the contract, the contracting officer shall give the contractor written notice specifying the failure and providing a
period of\n                         10 days (or longer period as necessary) in which to cure the failure. Upon\n                         expiration of the 10 days (or longer), the contracting officer may issue a\n                         notice of termination for default unless it is determined that the failure to\n                         perform has been cured.11\n\n                 OARM\xe2\x80\x99s contracting officer indicated that OEI did not request the negotiation of a\n                 lower price. As a result, the EPA paid full price for agreed-to services that were not\n                 performed as specified in the contract. In addition, the EPA has to incur additional\n                 costs of maintaining all email not transferred to the cloud on in-house systems until\n                 at least FY 2019. OEI was unable to provide the OIG with the cost of storing and\n                 providing access to the historic email that was not moved to the cloud.\n\nConclusions\n                 It is questionable whether the agency will realize its projected cost savings because\n                 the EPA did not perform a documented cost-benefit analysis in compliance with\n                 OMB guidance. Additionally, the EPA paid for services not received and incurred\n                 additional expenses without a written modification to the contract and without\n                 seeking an equitable reduction in price.\n\n\n9\n  48 CFR subsection 1.602-2.\n10\n   48 CFR Subsection 52.212-4 (a).\n11\n   48 CFR Subsection 49.402-3 (d).\n\n\n14-P-0332                                                                                                7\n\x0cRecommendations\n             We recommend that the Assistant Administrator for Environmental Information:\n\n                 1. 
Develop and implement an internal independent oversight process to\n                    ensure that documented cost-benefit analyses are performed in compliance\n                    with the proper OMB circular prior to OEI outsourcing IT initiatives.\n\n             We recommend that the Assistant Administrator for Administration and\n             Resources Management:\n\n                 2. Develop and conduct training and provide oversight to help ensure\n                    contracting officers:\n\n                       a. Issue cure notices when they become aware that a vendor will not\n                          meet its contractual obligations.\n                       b. Negotiate equitable price reductions when vendors are not able to\n                          fulfill their contractual obligations.\n                       c. Add written amendments to contracts for all contract modifications.\n\nAgency Response to Draft Report and OIG Evaluation\n\n      We received responses to the draft report from the OEI and OARM. Based on the OEI\n      and OARM responses, we made changes as needed. Appendix A contains the OEI\n      responses and appendix B contains the OARM responses, along with our comments.\n\n      OEI did not concur with recommendation 1 and offered an alternative recommendation.\n      We did not accept the proposed alternative recommendation. OEI did not provide\n      sufficient information to allow us to determine whether its intended action would satisfy\n      the intent of our recommendation. However, based on discussions with the agency, we\n      modified the recommendation to more clearly describe our intent.\n\n      In the draft report, we made a recommendation that OARM determine the difference in\n      cost between not moving all the email to the cloud within the agreed-to time frames, as\n      specified in the contract, and just moving 30 days of email, and seek an equitable\n      reduction in price. 
We evaluated OARM\xe2\x80\x99s comments and removed this recommendation\n      because OARM indicated in its response to the draft report that it had issued a written\n      modification for the change in scope subsequent to the OIG informing the Office of\n      Acquisition Management that the contracting officer failed to obtain a written\n      modification specifying that the contractor only move 30 days of email. This written\n      modification was issued within 1 month after the OIG notified OAM management that\n      the contracting officer failed to obtain the written modification for the change in scope,\n      almost 7 months after the oral agreement was reached, and almost 5 months after the\n      orally agreed-to change in scope was executed. We confirmed that the agency took the\n      stated actions. However, we were unable to verify that the modification would achieve\n\n\n\n14-P-0332                                                                                          8\n\x0c      the desired results due to the time constraints of the audit and the period of performance\n      of the contract.\n\n      OARM concurred with the remaining OARM recommendation in this chapter. This\n      recommendation is resolved and OARM indicated that it has taken actions to address the\n      recommendation. We confirmed that OARM took the stated action. 
However, due to the\n      time constraints of the audit, we were not able to validate that the actions achieved the\n      desired results.\n\n\n\n\n14-P-0332                                                                                          9\n\x0c                                             Chapter 3\n                   Improvements Needed in\n      Infrastructure-as-a-Service Cloud Implementation\n                 The EPA entered into and approved payments for an Infrastructure-as-a-Service\n                 (IaaS) contract that the EPA was not able to utilize for hosting applications\n                 because it did not meet federal requirements.12 Additionally, OEI has not\n                 performed documented analyses to determine whether the EPA should continue\n                 with this IaaS contract and/or upgrade its internal infrastructure to meet all of the\n                 NIST essential characteristics of cloud computing. The OMB and FAR establish\n                 requirements when contracting for IT services such as cloud services. OEI and\n                 OARM\xe2\x80\x99s Office of Acquisition Management did not follow or were unaware of\n                 specific requirements that impacted contracts associated with the EPA\xe2\x80\x99s cloud\n                 initiatives. 
As a result, there is no documentation to support whether it is in the\n                 EPA\xe2\x80\x99s best interest to continue with the IaaS contract and/or upgrade its internal\n                 infrastructure to meet all of the NIST essential characteristics of cloud computing.\n\nIaaS Cloud Contract Could Not Be Utilized to Host Applications\n                 The EPA entered into a contract with a GSA-approved external cloud provider for\n                 IaaS cloud computing services that could not be utilized to host applications\n                 because the vendor\xe2\x80\x99s cloud service did not meet the federal Trusted Internet\n                 Connections (TIC) and Internet Protocol version 6 (IPv6) requirements.13\n                 Furthermore, the EPA\xe2\x80\x99s information security procedures did not meet federal TIC\n                 requirements.14 Specifically, the procedure states that all remote access for\n                 moderate and high information systems be routed through a limited number of\n                 managed access control points and refers to OMB memoranda on the TIC. 
The\n                 EPA\xe2\x80\x99s information security procedures contradict the TIC Reference Architecture\n                 Document version 2, which specifies that all external connections are secured\n                 through a TIC access point.15 The objectives of the TIC initiative are to optimize\n                 and standardize the security of individual external network connections currently\n                 in use by federal agencies, including connections to the Internet; and to improve\n                 the federal government\xe2\x80\x99s security posture and incident response capability\n\n12\n   IaaS is a cloud infrastructure where the consumer is provided the capability to provision processing, storage,\nnetworks and other fundamental computing resources where the consumer is able to deploy and run arbitrary\nsoftware, which can include operating systems and applications. The consumer does not manage or control the\nunderlying cloud infrastructure but has control over operating systems, storage and deployed applications; and\npossibly limited control of select networking components (e.g., host firewalls).\n13\n   An Internet Protocol address is a unique number used to identify computers on a network. Internet Protocol\nversion 4, which had a limited number of Internet Protocol addresses, has become depleted. 
IPv6 was developed to\nestablish more levels of addressing hierarchy with a larger pool of Internet Protocol addresses.\n14\n   Information Security-Interim Access Control Procedures V3.2 (CIO-2150.3-P-01.1).\n15\n   The Department of Homeland Security\xe2\x80\x99s Trusted Internet Connections (TIC) Reference Architecture Document\nVersion 2.0 (September 1, 2011).\n\n\n14-P-0332                                                                                                       10\n\x0c                 through the reduction and consolidation of external connections and by providing\n                 enhanced monitoring and situational awareness of external network connections.\n                 The OIG concludes that entering into contracts and having procedures that do not\n                 comply with the TIC requirements puts the EPA at risk of not realizing the\n                 objectives of the initiative.\n\n                 OMB Memorandum M-05-22 originally set June 2008 as the date by which all\n                 agencies\xe2\x80\x99 infrastructures must use IPv6. 
Additionally, OMB Memorandum for\n                 Chief Information Officers of Executive Departments and Agencies: Transition to\n                 IPv6, dated September 28, 2010:\n\n                      \xef\x82\xb7   Extended the due date to the end of FY 2012 for public-facing servers and\n                          the end of FY 2014 for internal client applications that communicate with\n                          public Internet servers and supporting enterprise networks.\n\n                      \xef\x82\xb7   Specified that all agencies ensure that agency procurements of networked\n                          IT comply with FAR requirements for use of the USGv6 Profile and Test\n                          Program for the completeness and quality of their IPv6 capabilities.16\n\n                 Furthermore, the FAR states that a waiver is required from the agency\xe2\x80\x99s CIO\n                 when acquiring information technology that does not comply with IPv6.17\n\n                 OEI representatives indicated that they were aware of and included the TIC\n                 requirement in their original Request for Quote package. However, based on\n                 questions received from the vendor community, OEI believed that there were no\n                 known solutions to enable TIC provisioning by the provider. OEI explained that it\n                 made the choice to remove the TIC requirement because OEI believed that the\n                 TIC Reference Architecture provided for the hosting of unrestricted access\n                 services without a TIC. OEI indicated that, subsequent to the award, the EPA\xe2\x80\x99s\n                 CIO issued the Environmental Protection Agency Information Security Policy\n                 (CIO-2150.3) and associated procedures. 
OEI also indicated that the EPA\xe2\x80\x99s\n                 Senior Agency Information Security Officer stated that these procedures require\n                 that all the EPA services\xe2\x80\x94including unrestricted access services\xe2\x80\x94must be\n                 accessed through the TIC. Although the EPA indicated it was properly advised,\n                 the Environmental Protection Agency Information Security Policy only indicates\n                 that all remote access for moderate and high information systems and not all\n                 external connections, as required by OMB, must be routed through a limited\n                 number of managed access control points.\n\n                 OEI indicated that it requested IPv6 capability in the Performance Work\n                 Statement within the original Request for Quote package. However, OEI stated\n                 that the vendor indicated that it could not support IPv6 because the vendor had not\n                 implemented IPv6 across its external cloud services but that the vendor\n\n16\n   USGv6 is the name provided by NIST to the development of the technical infrastructure necessary to support\nwide-scale adoption of IPv6 in the U.S. government.\n17\n   48 CFR Subsection 11.002(g).\n\n\n14-P-0332                                                                                                       11\n\x0c            committed to providing an IPv6-compliant release by the end of 2013. In addition,\n            the contracting officer was unaware that a waiver needed to be issued by the CIO\n            prior to entering into contracts that did not meet the requirements for use of the\n            USGv6 Profile and Test Program for the completeness and quality of their IPv6\n            capabilities. 
The Office of Acquisition Management indicated that better training\n            could have made the contracting officer aware of the FAR\xe2\x80\x99s IPv6 requirements\n            and oversight may have detected the error.\n\n            The EPA incurred costs on the contract that could not be utilized for hosting\n            applications until a solution for TIC and IPv6 requirements were met.\n            We obtained all the invoices for the vendor\xe2\x80\x99s cloud environment. As of March\n            2014, the EPA incurred approved invoices associated with this contract totaling\n            $74,241 from July 6, 2012, to March 29, 2013. OEI indicated that the vendor\'s\n            cloud environment has been made to be IPv6 compliant and that traffic has been\n            routed through the EPA TIC; additionally, OEI has indicated that its Office of\n            Information Collection placed an application into production in the vendor\xe2\x80\x99s\n            cloud environment in March 2014. OEI indicated that there has been no activity\n            on the IaaS Cloud contract since last year, that the system was only placed in\n            production in March 2014 and that no invoice has yet been submitted for payment\n            for this activity by the vendor.\n\nAnalysis for Continued Use of IaaS Needs to Be Performed\n            OEI did not perform an analysis to determine whether it should continue with the\n            IaaS contract or use the resources for the external IaaS cloud environment on\n            other initiatives. Additionally, OEI has not performed an analysis for turning its\n            internal hosting into an internal private cloud that meets all of the NIST essential\n            characteristics of cloud computing.\n\n            On June 25, 2012, the EPA entered into a contract with a GSA-approved external\n            cloud provider for IaaS cloud computing services without performing a\n            cost-benefit analysis. 
Instead, OEI indicated that it pursued an indefinite\n            delivery/indefinite quantity contract to minimize their risk and cost exposure\n            while providing an opportunity to explore external cloud service options for the\n            EPA. OEI representatives indicated that the EPA wanted to provide its customers\n            with an external cloud option to supplement the EPA\xe2\x80\x99s internal hosting services,\n            which OEI referred to as a private cloud. The EPA renewed the contract for a\n            second year.\n\n            OEI indicated that to use the external cloud service offering, the application\n            owners would have to incur additional costs for OEI to develop services not\n            offered by the cloud provider and/or pay additional costs for premium services\n            offered by the cloud provider. OEI indicated that the costs of these services are\n            already included in the cost for hosting applications using the EPA\xe2\x80\x99s internal\n            hosting services. 
On April 25, 2013 (10 months into the contract which OEI\n            renewed), an OEI representative indicated that they:\n\n\n14-P-0332                                                                                       12\n\x0c                       \xef\x82\xb7    Now have a \xe2\x80\x9cpretty\xe2\x80\x9d clear understanding of the integration requirements,\n                            obstacles and/or gaps in capabilities associated with using the vendor\xe2\x80\x99s\n                            cloud offering.\n\n                        \xef\x82\xb7   Believed that given the additional costs necessary to address the gaps in\n                            the vendor\xe2\x80\x99s cloud offering, the cost of the vendor\xe2\x80\x99s cloud services would\n                            likely be equal to or greater than the cost to use the EPA\xe2\x80\x99s National\n                            Computer Center internal services.\n\n                   OEI also indicated that the EPA\xe2\x80\x99s internal hosting environment did not meet all of\n                   the essential characteristics of cloud computing as defined by NIST. 
OEI did not\n                   perform a documented analysis to determine whether it would be in the EPA\xe2\x80\x99s\n                   best interest to:\n\n                        \xef\x82\xb7   Convert the internal infrastructure to meet all of the NIST essential\n                            characteristics of cloud computing.\n\n                        \xef\x82\xb7   Continue operating as is without meeting the \xe2\x80\x9con-demand self-service\xe2\x80\x9d\n                            NIST characteristic of cloud computing.\n\n                   OMB Circular A-130 Revised indicates that agencies will integrate planning for\n                   information systems with plans for resource allocation and use, including\n                   budgeting, acquisition and use of information technology.18\n\n                   Reason for not performing a cost-benefit analysis for using an external\n                   vendor\xe2\x80\x99s cloud services: OEI indicated that it did not do a cost-benefit analysis\n                   associated with the vendor\xe2\x80\x99s contract for external cloud services because, when\n                   pursuing the contract, OEI understood that the federal cloud services landscape\n                   was relatively immature and evolving. 
Instead, OEI indicated that it pursued an\n                   indefinite delivery/indefinite quantity contract to minimize their risk and cost\n                   exposure while providing an opportunity to explore external cloud service options\n                   for the EPA.\n\n                   Reason for not performing cost-benefit analysis to convert its internal\n                   infrastructure services to meet all of the NIST essential characteristics of\n                   cloud computing: OEI indicated that it believed, based upon its experience, that:\n                       \xef\x82\xb7    Establishing self-service tools for the National Computer Center private\n                            cloud services would require a substantial investment that would not be\n                            cost effective for its limited market.\n\n                       \xef\x82\xb7    The integration of self-service IT resource allocation with Federal\n                            Information Security Management Act authorization and financial\n                            accountability would require a complex customization and ongoing\n                            maintenance in addition to a commercial off-the-shelf tool investment.\n\n18\n     OMB Circular A-130 Revised Section 8 Subsection a.(e).\n\n\n14-P-0332                                                                                              13\n\x0c               \xef\x82\xb7   There has been a low volume of requests for new servers and/or changes\n                   to resource allocations and OEI believed that making an investment in\n                   large-scale self service was not practical.\n\n            By not performing these analyses, the EPA does not know whether it would be\n            more beneficial to:\n\n               \xef\x82\xb7   Continue with the IaaS contract (including the investments the EPA would\n                   have to make to address the integration requirements, 
obstacles and gaps\n                   identified) or use the resources for the external IaaS cloud environment on\n                   other initiatives.\n\n               \xef\x82\xb7   Continue using the internal hosting services as-is or upgrade them to meet\n                   all the NIST characteristics of the cloud computing environment\n\nConclusions\n            The EPA entered into contracts for cloud computing services without being aware\n            of or following specific federal requirements. As a result, the EPA entered into and\n            paid for a contract that the EPA was not able to utilize for hosting applications until\n            21 months after the contract was signed.\n\nRecommendations\n            We recommend that the Assistant Administrator for Environmental Information:\n\n               3. Perform a formal documented analysis to determine whether it is in the\n                  EPA\xe2\x80\x99s best interest to continue with the IaaS contract or free the financial\n                  resources (including the investments the EPA would have to make to\n                  address integration requirements, obstacles and gaps identified) for other\n                  uses.\n\n               4. Prior to entering into any future IaaS contracts, perform a formal\n                  documented analysis to determine whether such contracts are in the EPA\xe2\x80\x99s\n                  best interest that includes the investments the EPA would have to make to\n                  address integration requirements, obstacles and gaps identified as a result\n                  of the current IaaS contract.\n\n               5. Modify the Information Security-Interim Access Control Procedures to\n                  adhere to the TIC Reference Architecture Document, which specifies that\n                  all external connections are secured through a TIC access point.\n\n               6. 
Perform a formal documented analysis to determine whether it is in the\n                  EPA\xe2\x80\x99s best interest to continue using the internal hosting services as-is or\n                  to upgrade them to establish an internal private cloud that meets all\n                  characteristics of the NIST definition of a cloud.\n\n\n14-P-0332                                                                                      14\n\x0c            We recommend that the Assistant Administrator for Administration and\n            Resources Management:\n\n               7. Establish guidance, formal oversight processes and training to ensure that\n                  the requirements for use of the USGv6 Profile and Test Program for the\n                  completeness and quality of their IPv6 capabilities are met within all\n                  applicable IT contracts or that a waiver is obtained from the EPA\xe2\x80\x99s CIO\n                  prior to issuing an applicable IT contract that does not meet the\n                  requirements, as required by the FAR.\n\nAgency Response to Draft Report and OIG Evaluation\n\n            We received responses to the draft report from the OEI and OARM and made\n            changes as needed. Appendix A contains the OEI responses and appendix B\n            contains the OARM responses, along with our comments.\n\n            OEI concurred with the recommendations in this chapter. However, OEI did not\n            provide sufficient information to allow us to determine whether its intended\n            actions would satisfy the intent of our recommendations.\n\n            OARM concurred with recommendation 7. This recommendation is resolved and\n            OARM indicated that it has taken actions to address the recommendation. We\n            confirmed that OARM took the specified actions. 
However, due to the time\n            constraints of the audit, we did not verify that the actions effectively corrected the\n            deficiency.\n\n\n\n\n14-P-0332                                                                                       15\n\x0c                                         Chapter 4\n     OEI Did Not Evaluate Whether Applications Could Be\n        Retired, Consolidated and Moved to the Cloud\n                 The EPA did not fully develop or implement a strategy to evaluate the EPA\xe2\x80\x99s\n                 entire portfolio of IT applications to determine which applications can be\n                 consolidated, retired or moved to the cloud. The Federal Cloud Computing\n                 Strategy indicates that successful organizations carefully consider their broad IT\n                 portfolios and create roadmaps for cloud deployment and migration. OMB\n                 Memorandum M-11-29 states that agency CIOs must focus on eliminating\n                 duplication and rationalize their agency\xe2\x80\x99s IT investments.19 OEI representatives\n                 indicated that they believed the responsibility for managing the assets in the\n                 agency\xe2\x80\x99s IT portfolio belonged to the agency\xe2\x80\x99s program and regional offices and\n                 not OEI. 
The EPA may not realize efficiencies that could be obtained by developing and implementing a strategy to evaluate the EPA’s entire portfolio of IT applications to determine which applications can be consolidated, retired or moved to the cloud.

OEI Did Not Evaluate Applications for Retirement, Consolidation and Cloud Migration

The EPA had not fully developed a strategy to evaluate applications for consolidating similar assets; retiring assets that have reached their end of life; and utilizing the cloud whenever a secure, reliable and cost-effective cloud option exists. The OEI indicated that:

   • The platform used to support internal email would not go away before FY 2019. Furthermore, OEI indicated that the platform that supported internal email also supported numerous agency-developed and commercial applications. OEI’s plan focused only on moving the email component.

   • OEI performed an analysis that determined moving email to the cloud would not negatively impact the applications that remained on the platform also used for internal email.

   • OEI did not have or implement a strategy to identify which applications can be consolidated, retired or moved to the cloud or another platform for the more than 6,000 active applications that remained on the platform used for internal email.

[19] OMB Memorandum M-11-29 Point 2 Commodity IT.

14-P-0332                                                                                            16

Creating roadmaps for cloud deployment and migration provides the EPA the opportunity to focus on eliminating duplicate IT investments as required by OMB Memorandum M-11-29.

The EPA’s CIO and OEI have the responsibility to manage the EPA’s IT portfolio, but OEI representatives indicated that OEI does not manage the IT portfolio for the agency. OEI representatives indicated that OEI supports the Capital Planning and Investment Control, System Life Cycle Management, and Enterprise Architecture processes that support investment owners in considering cloud options. The U.S. Clinger-Cohen Act specifies that agencies’ CIOs are responsible for promoting the effective and efficient design and operation of all major information resources management processes for the executive agency.[20] OMB Memorandum M-11-29 adds to the CIO’s statutory responsibilities under the Clinger-Cohen Act, including responsibility over the agency’s entire IT portfolio. The EPA’s 1200 Delegations Manual provides for the delegation of CIO responsibilities, including the responsibilities assigned to the CIO within the Clinger-Cohen Act. The manual did not specifically list instructions for the delegation of promoting the effective and efficient design and operation of all the agency’s major information resources or the CIO’s responsibility over the entire IT portfolio. The manual did indicate that the CIO’s responsibilities not specifically listed in the manual may be delegated to OEI’s office directors, who may only redelegate these authorities to the division director level or equivalent.

By not evaluating the IT portfolio and creating roadmaps, the EPA may not realize efficiencies that could be obtained by moving to the cloud, consolidating similar assets, and retiring assets that have reached their end of life. These applications may have owners in different program offices. As a result, if not managed centrally, there is an increased possibility that multiple systems performing similar functions would not be consolidated. This may result in the EPA missing the opportunity to reduce redundant costs. This analysis and the associated roadmaps should not be limited to the applications remaining on the platform that supported internal email, but should be extended to the EPA’s entire IT portfolio.

Conclusions

The OMB Memorandum M-11-29 and Federal Cloud Computing Strategy provide guidance for consolidating IT assets and developing cloud roadmaps. By not centrally managing the EPA’s entire IT portfolio as a whole, the EPA could be missing the opportunity to reduce redundant costs.

[20] 40 U.S. Code Subtitle III Subsection 11315(b)(3).

Recommendations

We recommend that the Assistant Administrator for Environmental Information:

   8. Develop and implement a strategy to perform a documented analysis of the applications remaining on the platform that supported the EPA’s internal email to determine which applications should be consolidated, retired and/or moved to the cloud or another platform.

   9. Develop and implement a strategy to perform a documented analysis of all of the EPA’s applications to determine which applications should be consolidated, retired and/or moved to the cloud.

   10. 
Create and follow a formal process to implement the consolidation, retirement and/or cloud migration of applications as identified in response to recommendations 8 and 9.

Agency Response to Draft Report and OIG Evaluation

We received a response to the draft report from the OEI and made changes as needed. Appendix A contains the OEI response along with our comments.

OEI did not concur with the recommendations in this chapter and offered alternative recommendations. We did not accept the proposed alternative recommendations. OEI did not provide sufficient information to allow us to determine whether its intended actions would satisfy the intent of our recommendations.

Chapter 5
Improvements Needed in Documented Processes for Cloud Implementation

The EPA’s policies and procedures for moving to the cloud are incomplete and need improvement. OMB Circular A-123, Management’s Responsibility for Internal Control, specifies that management is responsible for developing and implementing effective internal controls, including policies and procedures.[21] Although OEI recognized the need for these additional policies and procedures, it was not made a priority, resulting in OEI indicating during a briefing with the OIG that the additional policies and procedures were no longer needed. Without fully developed and implemented formal policies and procedures, EPA management does not have reasonable assurance that the agency’s migration to the cloud will be effective, efficient, and in compliance with applicable laws and regulations.

Cloud Computing Policies and Procedures Need Improvement

The EPA’s policies and procedures for cloud computing are incomplete and need improvement. The policies and procedures did not include guidance that should be included based on the 25 Point Implementation Plan to Reform Federal IT and the Federal Cloud Computing Strategy. For example, the policies and procedures did not provide detailed instructions for application owners to use for:

   • Assessing and classifying applications in the EPA’s IT portfolio for moving to the cloud.
   • Creating roadmaps for cloud deployment and migration.
   • Evaluating whether a secure, reliable and cost-effective cloud option exists for all new applications and, if so, ensuring that a cloud-based solution is used.

The EPA has the following guidance documents that address cloud migration:

   • Assistant Administrator and CIO Memorandum (January 2011) addressing the White House’s 25-Point Implementation Plan to Reform Federal Information Technology Management.
   • Assistant Administrator and CIO Memorandum (September 2011) regarding Cloud Computing Services Security Requirements.
   • System Life Cycle Management Policy and Procedure (September 2012).
   • EPA Enterprise Roadmap 2012.

[21] OMB Circular A-123 Sections I and IIC.

Notwithstanding these documents, OEI recognized the need for additional policies and procedures associated with cloud computing. In OEI’s Quality Technology Subcommittee Briefing: EPA Cloud Computing Strategy Update, presented on July 21, 2011, OEI identified to EPA management the need to:

   • Develop readiness assessment criteria for applications to migrate to the cloud.
   • Assess all the EPA applications and develop a migration schedule for migrating to the cloud.

In addition, as of May 2013, OEI also listed the development of a cloud policy as a medium priority on its policy agenda. This agenda indicated that the cloud policy was to cover the requirements for EPA offices that wanted to use cloud-based solutions. In November 2013, OEI stated that the cloud policy on the agenda was no longer needed. While OEI believes this policy to no longer be necessary, management had not taken steps to incorporate these improvements into the cloud policies and procedures previously listed or to develop additional cloud policies and procedures.

The Federal Cloud Computing Strategy and the 25 Point Implementation Plan to Reform Federal IT provide guidance for assessing if and when applications can be moved to the cloud based on readiness and value. For example, the strategy indicates that agencies should carefully consider their broad IT portfolios and create roadmaps for cloud deployment and migration. Additionally, the 25 Point Implementation Plan to Reform Federal IT requires that agencies default to cloud-based solutions for new IT deployments whenever a secure, reliable, cost-effective cloud option exists.

Conclusions

The responsibility for developing internal controls, including policies and procedures, falls upon management. EPA management did not fulfill its responsibility when it did not develop complete policies and procedures for moving to the cloud. Improvements in documented processes for cloud implementation can minimize the waste of money and resources and help ensure that the EPA’s migration to the cloud adheres to IT laws and regulations. Without fully developed formal policies and procedures for migrating to the cloud, EPA management does not have reasonable assurance that the agency’s migration will be effective, efficient, and in compliance with applicable laws and regulations.

Recommendation

We recommend that the Assistant Administrator for Environmental Information:

   11. Publish detailed instructions for agency programs to use when considering moving applications to the cloud that fully addresses federal guidance, including but not limited to such areas as:

       a. Assessing and classifying applications for cloud migration.
       b. Creating cloud migration roadmaps.
       c. 
Performing a documented analysis to determine whether a secure, reliable and cost-effective cloud option exists for all new applications.

Agency Response to Draft Report and OIG Evaluation

OEI concurred with recommendation 11. However, OEI did not provide sufficient information to allow us to determine whether its intended actions would satisfy the intent of our recommendations.

Status of Recommendations and Potential Monetary Benefits

Columns: Rec. No. / Page No. / Status [1] / Action Official / Planned Completion Date, followed by the subject of the recommendation. The Potential Monetary Benefits columns (Claimed Amount and Agreed-To Amount, in $000s) are blank for every recommendation.

 1   Page 8    U   Assistant Administrator for Environmental Information
     Develop and implement an internal independent oversight process to ensure that documented cost-benefit analyses are performed in compliance with the proper OMB circular prior to OEI outsourcing IT initiatives.

 2   Page 8    C   Assistant Administrator for Administration and Resources Management   Planned Completion Date: 12/19/13
     Develop and conduct training and provide oversight to help ensure contracting officers:
       a. Issue cure notices when they become aware that a vendor will not meet its contractual obligations.
       b. Negotiate equitable price reductions when vendors are not able to fulfill their contractual obligations.
       c. Add written amendments to contracts for all contract modifications.

 3   Page 14   U   Assistant Administrator for Environmental Information
     Perform a formal documented analysis to determine whether it is in the EPA’s best interest to continue with the IaaS contract or free the financial resources (including the investments the EPA would have to make to address integration requirements, obstacles and gaps identified) for other uses.

 4   Page 14   U   Assistant Administrator for Environmental Information
     Prior to entering into any future IaaS contracts, perform a formal documented analysis to determine whether such contracts are in the EPA’s best interest that includes the investments the EPA would have to make to address integration requirements, obstacles and gaps identified as a result of the current IaaS contract.

 5   Page 14   U   Assistant Administrator for Environmental Information
     Modify the Information Security-Interim Access Control Procedures to adhere to the TIC Reference Architecture Document, which specifies that all external connections are secured through a TIC access point.

 6   Page 14   U   Assistant Administrator for Environmental Information
     Perform a formal documented analysis to determine whether it is in the EPA’s best interest to continue using the internal hosting services as-is or to upgrade them to establish an internal private cloud that meets all characteristics of the NIST definition of a cloud.

 7   Page 15   C   Assistant Administrator for Administration and Resources Management   Planned Completion Date: 10/14/13
     Establish guidance, formal oversight processes and training to ensure that the requirements for use of the USGv6 Profile and Test Program for the completeness and quality of their IPv6 capabilities are met within all applicable IT contracts or that a waiver is obtained from the EPA’s CIO prior to issuing an applicable IT contract that does not meet the requirements, as required by the FAR.

 8   Page 18   U   Assistant Administrator for Environmental Information
     Develop and implement a strategy to perform a documented analysis of the applications remaining on the platform that supported the EPA’s internal email to determine which applications should be consolidated, retired and/or moved to the cloud or another platform.

 9   Page 18   U   Assistant Administrator for Environmental Information
     Develop and implement a strategy to perform a documented analysis of all of the EPA’s applications to determine which applications should be consolidated, retired and/or moved to the cloud.

10   Page 18   U   Assistant Administrator for Environmental Information
     Create and follow a formal process to implement the consolidation, retirement and/or cloud migration of applications as identified in response to recommendations 8 and 9.

11   Page 21   U   Assistant Administrator for Environmental Information
     Publish detailed instructions for agency programs to use when considering moving applications to the cloud that fully addresses federal guidance, including but not limited to such areas as:
       a. Assessing and classifying applications for cloud migration.
       b. Creating cloud migration roadmaps.
       c. Performing a documented analysis to determine whether a secure, reliable and cost-effective cloud option exists for all new applications.

[1] O = Recommendation is open with agreed-to corrective actions pending.
    C = Recommendation is closed with all agreed-to actions completed.
    U = Recommendation is unresolved with resolution efforts in progress.

Appendix A

OEI Response to Draft Report and OIG Comments
(June 4, 2014)

MEMORANDUM

SUBJECT:  Response to Office of Inspector General Draft Report No. OA-FY13-0095, “Cloud Oversight Results in Unsubstantiated and Missed Opportunities for Savings, Unused and Undelivered Services, and Incomplete Policies,” dated April 30, 2014

FROM:     Renee P. Wynn /s/
          Acting Assistant Administrator and Chief Information Officer

TO:       Arthur A. Elkins, Jr.
          Inspector General

Thank you for the opportunity to respond to the issues and recommendations in the subject draft audit report. Following is a summary of the Office of Environmental Information’s (OEI) overall position, along with its position on each of the draft report recommendations. For those draft report recommendations with which the OEI agrees, we have provided high-level intended corrective actions and estimated completion dates to the extent we can. 
For those report recommendations with which the OEI does not agree, we have explained our position and proposed alternatives to recommendations to the extent we can.

OEI’s Overall Position

The OEI recommends the title of the report be revised and believes some of the content of the report goes beyond the scope of the audit. The OEI concurs on five of the nine OEI recommendations. The OEI disagrees with four of the nine OEI recommendations. Please note that the Office of Administration and Resources Management provided their separate response to the Office of Inspector General.

Attached is OEI’s corrective action plan with additional details. If you have any questions or concerns about this response, please feel free to contact Harrell Watkins, Acting Director, Office of Technology Operations and Planning, at 202-566-0672.

Attachment

OFFICE OF ENVIRONMENTAL INFORMATION (OEI)
RESPONSE TO REPORT RECOMMENDATIONS
CORRECTIVE ACTION PLAN

OIG Draft Report No. OA-FY13-0095, “Cloud Oversight Results in Unsubstantiated and Missed Opportunities for Savings, Unused and Undelivered Services, and Incomplete Policies,” dated April 30, 2014.

Note: The Office of Administration and Resources Management has the lead to respond to OIG recommendations 2, 3, and 8, which are being provided separately to OIG.

AGREEMENTS

OIG Recommendation 4 (Lead Office: OEI/OTOP/NCC)
Perform a formal documented analysis to determine whether it is in the EPA’s best interest to continue with the IaaS contract or free the financial resources (including the investments the EPA would have to make to address integration requirements, obstacles and gaps identified) for other uses.

Corrective Action:
OEI Concurs on the Recommendation – OEI will perform a documented analysis on whether it is in the EPA’s best interest to continue with the IaaS contract.

Estimated Completion Date: 9/30/2014

OIG Comment: OEI indicated that it concurs with the recommendation, but its response did not provide sufficient information on the intended corrective action to allow us to properly determine whether the intent of the recommendation is satisfied.

Discussion of OIG Findings:
Chapter 3: Improvements Needed in Infrastructure-as-a-Service Cloud Implementation
OEI does not agree with the conclusion reached in Chapter 3 that OEI was and is unable to use the contract for IaaS Cloud Services. OEI did use the contract for IaaS services and paid only for the services it used.

Federal cloud computing was, and continues to be, an emerging and rapidly changing technology area. Likewise, federal regulations and guidance governing information systems operations, security and procurement were and are evolving and changing to adapt to the cloud computing context. The combination of changing technology, regulations and guidance produces an implementation context of high uncertainty.

Given the context of uncertainty, OEI’s approach was prudent and productive. OEI pursued a contracting method (indefinite delivery with indefinite quantity) that allowed EPA to test and evaluate the provider’s IaaS cloud technologies and services at a reasonable cost while providing for expansion if or when it was needed. With this contract EPA pays only for the resources consumed with a $50,000 annual minimum. This methodology mitigated both costs and risks associated with exploring the emerging technology.

It is a recognized industry best practice to test and evaluate complex technologies prior to broad-scale adoption. As noted in the audit, OEI consumed $74,241 in services or $24,241 over the minimum annual amount. These costs incurred were reasonable costs for services consumed given the scope and complexity of the technology involved. OEI received tangible benefit from the hands-on experience gained by testing the technologies, methods and procedures used for deploying and operating systems within the specific context of the provider’s IaaS cloud solution. Finally, as noted in the audit, the service provider mitigated the IPv6 deficiency within the time period provided by the contract and EPA is now hosting a production application using the services.

OIG Recommendation 5 (Lead Office: OEI/OTOP/NCC)
Prior to entering into any future IaaS contracts, perform a formal documented analysis to determine whether such contracts are in the EPA’s best interest. That includes the investments the EPA would have to make to address integration requirements, obstacles and gaps identified as a result of the current IaaS contract.

Corrective Action:
OEI Concurs on the Recommendation – OEI will perform a formal analysis to determine whether such contracts are in the EPA’s best interest prior to entering into any future IaaS contract.

Estimated Completion Date: TBD

OIG Comment: OEI indicated that it concurs with the recommendation, but its response did not provide sufficient information on the intended corrective action to allow us to properly determine whether the intent of the recommendation is satisfied.

OIG Recommendation 6 (Lead Office: OEI/SAISO)
Modify the Information Security-Interim Access Control Procedures to adhere to the TIC Reference Architecture Document, which specifies that all external connections are secured through a TIC access point.

Corrective Action:
OEI Concurs on the Recommendation – The SAISO is in the process of updating the interim control procedures to reflect NIST SP800-53 rev 4, and will ensure the AC procedure includes appropriate reference guidance from the Department of Homeland Security’s Trusted Internet Connections (TIC) Reference Architecture Document Version 2.0 (October 1, 2013).

Estimated Completion Date: 12/31/2014

OIG Comment: OEI indicated that it concurs with the recommendation, but its response did not provide sufficient information on the intended corrective action to allow us to properly determine whether the intent of the recommendation is satisfied.

OIG Recommendation 7 (Lead Office: OEI/OTOP/NCC)
Perform a documented analysis to determine whether it is in the EPA’s best interest to continue using the internal hosting services as-is or to upgrade them to establish an internal private cloud that meets all characteristics of the NIST definition of a cloud.

Corrective Action:
OEI Concurs on the Recommendation – OEI will perform an analysis to determine whether it is in the EPA’s best interest to continue using the internal hosting as-is or to upgrade to an internal private cloud.

Estimated Completion Date: 9/30/2014

OIG Comment: OEI indicated that it concurs with the recommendation, but its response did not provide sufficient information on the intended corrective action to allow us to properly determine whether the intent of the recommendation is satisfied.

OIG Recommendation 12 (Lead Office: OEI/OTOP/MISD)
Publish detailed instructions for agency programs to use when considering moving applications to the cloud that fully addresses federal guidance, including but not limited to such areas as:
    a. Assessing and classifying applications for cloud migration.
    b. Creating cloud migration roadmaps.
    c. Performing a documented analysis to determine whether a secure, reliable and cost-effective cloud option exists for all new applications.

Corrective Action:
OEI concurs that some specific guidance for helping assess whether migrating to the cloud is a viable option could be helpful to program managers. However, we would note that such guidance should be based not only on Federal policy, but on our own lessons learned. Thus we would put more emphasis on sub-items a and c, which focus on evaluating options, than on item b, which seems to indicate a preference for cloud migration. 
Our completion date will be contingent upon the evaluation of our lessons learned, which will continue through the SharePoint deployment set to launch in early summer. We also request clarification on whether the term “applications” under item c refers to applications as we have defined them in this document.

Estimated Completion Date: 5/29/2015

OIG Comment: OEI indicated that it concurs with the recommendation, but its response did not provide sufficient information on the intended corrective action to allow us to properly determine whether the intent of the recommendation is satisfied. In contrast to OEI’s definition of an application as being a generic term that refers to stand-alone software systems, NIST SP 800-37 revision 1 defines an application as a software program hosted by an information system.

Discussion of OIG Findings:
Chapter 5: Improvements Needed in Documented Process for Cloud Implementation
As noted in the comments to Chapter 4, it is not appropriate to draft findings or to make recommendations concerning “applications in the EPA’s IT Portfolio.” Applications and the IT portfolio are different items, with different lifecycles and governance. Any guidance that OEI develops for cloud migration would likely have to provide tailoring differences for evaluating applications versus evaluating Capital Planning and Investment Control (CPIC) investments.

DISAGREEMENTS

Report Title
OEI respectfully requests the OIG change the title of this report to more accurately reflect the purpose and nature of the findings of this audit. A suggested title is “Improvements Needed in Implementing Cloud Initiatives.”

Discussion of OIG Findings:
Chapter 4: OEI Did Not Evaluate Whether Applications Could Be Retired, Consolidated and Moved to the Cloud
Chapter 5: Improvements Needed in Documented Processes for Cloud Implementation
The OIG’s stated purpose for this audit was to determine whether EPA had 1) implemented its cloud initiatives in accordance with the Federal Cloud Computing Strategy and 2) developed formal processes to monitor cloud vendors. However, the OIG went on to include other areas in its report and recommendations that are not associated with its stated purpose; see Chapter 4, “OEI Did Not Evaluate Whether Applications Could Be Retired, Consolidated and Moved to the Cloud,” and Chapter 5, “Improvements Needed in Documented Processes for Cloud Implementation.” Chapter 4 discusses EPA’s overall information portfolio, which in many cases was untouched by the move from Lotus Notes to a suite of Microsoft tools, including email. Chapter 5 focuses on EPA’s policies and procedures for moving to the cloud. The addition of this chapter was not covered by the purpose of the audit and should not be included in this report.

OIG Comment: The Federal Cloud Computing Strategy indicates that cloud computing has the potential to address inefficiencies that negatively impact the federal government’s ability to serve the American public. These inefficiencies include: low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. We conclude this to mean that the management of IT investments to eliminate these inefficiencies is a part of the Federal Cloud Computing Strategy.

We conclude that the policies and procedures addressed in chapter 5 are essential for following the federal cloud computing strategy. OMB Circular A-123 indicates that internal control activities such as policies and procedures help ensure that agency objectives, such as effectiveness and efficiency of operations and compliance with applicable laws and regulations, are met.

OIG Recommendation 1 (Lead Office: OEI/OTOP/MISD)
Develop and implement an internal independent oversight process to ensure that a justification for the use of either OMB Circular A-94 Revised or OMB Circular A-76 Revised is documented and that documented cost-benefit analyses are performed in compliance with the proper OMB circular prior to OEI outsourcing IT initiatives.

Explanation for Disagreement:
Following are the reasons OEI does not concur with this recommendation:

1. OMB Circular A-76 is not relevant to “outsourcing IT initiatives.” The purpose of OMB Circular A-76 is to assess whether work performed by government staff is inherently governmental or whether it could be provided by the private sector. There is little to be gained by evaluating whether to conduct an A-76 analysis.

2. The phrase “outsourcing IT initiatives” is vague. We think it is appropriate to distinguish investments in the IT portfolio, which are subject to OMB’s CPIC process, from IT applications, which are much smaller programs and locally managed. The rigor needed for the cost analysis around an IT investment is much higher than the rigor needed for the cost analysis around an application.

3. There are additional initiatives underway that lend guidance to how OEI should address cost estimating.

   a. In response to GAO-12-629, Information Technology Cost Estimation: Agencies Need to Address Significant Weaknesses in Policies and Practices, OEI has incorporated the GAO Cost Estimating and Assessment Guide by reference into its System Life Cycle Management (SLCM) procedure for the definition phase. The GAO guide covers many of the elements listed in Circular A-94. However, while Circular A-94 is about 4 pages long, the GAO guide is almost 400 pages.

   b. In support of its ongoing work with OMB’s PortfolioStat, EPA is expanding the role of its Information Investment Subcommittee to an Information Investment Review Board (IIRB). This board is chartered to mature investment and portfolio management within EPA. This would be the appropriate “internal independent” body to assess the level of rigor needed respectively for CPIC Major, Medium, Lite, and Small/Other investments.

Proposed Alternative:
OEI proposes that recommendation #1 be replaced with a recommendation that, as one of its first-year objectives, the IIRB expand upon the text currently in the SLCM to provide minimum guidelines for cost estimates and cost-benefit analyses, based on the distinction between CPIC levels.

OIG Comment: OEI indicated that it disagrees with the recommendation and offered an alternative recommendation. 
However, OEI\xe2\x80\x99s alternate recommendation did not provide\n     sufficient information on the intended corrective action to allow us to properly determine\n     whether the intent of the recommendation is satisfied.\n\nDiscussion of OIG Findings:\nChapter 2: Improvements needed in Email Cloud Implementation.\nThis chapter includes a critique of the cost-benefit analysis developed in the business case that was used\nto make a decision whether to migrate email to the cloud. It states that the analysis \xe2\x80\x9cdid not adhere with\nEPA and federal guidance22.\xe2\x80\x9d Specifically, the auditor calls out that the cost benefit analysis may include\nsunk costs, and that this is counter to the guidance in OMB Circular A-94.\n\nOEI is not in complete agreement that the costs referred to by the auditor as sunk costs do completely\nrepresent sunk costs, as we believe they include capital refresh as well. Nonetheless, OEI acknowledges\nthat given the tight timeframes around this project, the initial cost benefit analysis did not include all\nelements in the OMB A-94 guidelines. It was conducted to provide input to the decision whether to\nproceed; we understood that we would update the return on investment calculations as the project\nprogressed.\n\n\n22\n We believe that in stating that OEI did not follow EPA guidance, the auditor is referring to the System Life Cycle\nManagement (SLCM) policy. We would like to note that the initial cost estimate was conducted in April 2012,\nwhereas the current policy was not signed until September 2012.\n\n\n14-P-0332                                                                                                        29\n\x0cThe report also faults the cost analysis on the premise that \xe2\x80\x9cOMB Circular A-76 indicates that the cost of\ncontract performance should be based on the price to perform the requirements of the Performance Work\nStatement, as presented by the offeror to compete with the in-house workforce. 
OEI used estimates for\nmigrating to the cloud and did not use the offeror\xe2\x80\x99s price.\xe2\x80\x9d OEI considers this critique unfounded. First,\nwe do not believe that OMB Circular A-76 is relevant to this transaction. This project replaced one\ncommercial email system with another, and had nothing assessing whether the work performed was not\ninherently government and should be performed by the private sector. Second, the purpose of the cost\nbenefit analysis was to inform the decision whether to move forward with the cloud migration; it thus\npreceded the acquisition activity, and could not have included the offeror\xe2\x80\x99s price. The offeror\xe2\x80\x99s price was\nlater incorporated into an update of the initial analysis.\n\nOIG Recommendation 9 (Lead Office: OEI/OTOP/MISD)\nDevelop and implement a strategy to perform a documented analysis of the assets remaining on the\nplatform that supported the EPA\xe2\x80\x99s internal email to determine which assets should be consolidated,\nretired and moved to the cloud or another platform.\n\nExplanation for Disagreement:\nOEI believes we need to take some time to document and consider lessons learned from our cloud\nmigrations prior to starting the task of developing roadmaps. These lessons learned will be very helpful\nin addressing recommendation #12, \xe2\x80\x9cPublish detailed instructions for agency programs to use when\nconsidering moving applications to the cloud.\xe2\x80\x9d For example, we still need to assess SharePoint when it\ndeploys, as it might provide a proper bed for the applications. We do concur with recommendation #12,\nand would consider that a precursor to addressing recommendations 9 \xe2\x80\x93 11.\n\nProposed Alternative:\nOEI proposes that we need to assess current lessons learned on cloud migration before mandating a full\nanalysis of all applications for migration. For example, we need to assess the ability of SharePoint to host\n(and even evaluate) applications. 
We also believe that it is plausible that allowing the migration to\nhappen organically via the application lifecycle process could be more to the agency\xe2\x80\x99s advantage than\nevaluating all of them at once in order to create a single comprehensive roadmap.\n\n\n OIG Comment: OEI indicated that it disagrees with the recommendation and offered an\n alternative recommendation. However, the alternate recommendation did not provide\n sufficient information on the intended corrective action to allow us to properly determine\n whether the intent of the recommendation is satisfied.\n\nOIG Recommendation 10 (Lead Office: OEI/OTOP/MISD)\nDevelop and implement a strategy to perform a documented analysis of all the assets in the EPA\xe2\x80\x99s IT\nportfolio to determine which assets should be consolidated, retired and moved to the cloud.\n\nExplanation for Disagreement:\nOEI does not concur, on the basis that this is a broad portfolio management initiative, broader than just\ncloud migration, and is being addressed separately via the new IIRB. The IIRB first-year objectives\ninclude a mandate from GAO to \xe2\x80\x9cidentify criteria for identifying wasteful, low-value, or duplicative\ninvestments.\xe2\x80\x9d These criteria could include reference to whether cloud migrations have been considered.\n\n\n\n\n14-P-0332                                                                                                30\n\x0cProposed Alternative:\nOEI proposes allowing the first-year objective of the IIRB to serve as a proxy for this recommendation.\n\n OIG Comment: OEI indicated that it disagrees with the recommendation and offered an\n alternative recommendation. 
However, the alternate recommendation did not provide\n sufficient information on the intended corrective action to allow us to properly determine\n whether the intent of the recommendation is satisfied.\n\nOIG Recommendation 11 (Lead Office: OEI/OTOP/MISD)\nCreate and follow a roadmap to implement the consolidation, retirement and cloud migration of IT assets\nas identified in response to recommendations 9 and 10.\n\nExplanation for Disagreement:\nOEI would need to complete its proposed alternative responses to recommendations 9 and 10 before\ncommenting on the appropriateness of this recommendation. We may find that this course of action is\nstill appropriate, or we may identify an alternative course of action.\n\n OIG Comment: OEI indicated that it disagrees with the recommendation and offered an\n alternative recommendation. However, the alternate recommendation did not provide\n sufficient information on the intended corrective action to allow us to properly determine\n whether the intent of the recommendation is satisfied.\n\nDiscussion of OIG Findings:\nChapter 4: OEI Did Not Evaluate Whether Applications Could be Retired, Consolidated, and Moved to\nthe Cloud\nIn order to comment on this chapter, OEI needs to reiterate the distinction between \xe2\x80\x9capplications\xe2\x80\x9d and the\n\xe2\x80\x9cIT portfolio.\xe2\x80\x9d These are two different items and are managed in different ways. The term \xe2\x80\x9cIT Portfolio\xe2\x80\x9d\ndescribes all CPIC major, medium, lite, and other investments. The IT portfolio currently consists of\nabout 120 investments. It is managed by the IIRB (described above), and the IIRB is co-chaired by the\nDeputy CIO and the Deputy CFO. \xe2\x80\x9cApplication\xe2\x80\x9d is a generic term that refers to stand-alone software\nsystems, the bulk of which are home-grown and designed to meet specific, local needs. 
EPA evaluated\nover 6,000 applications to ensure that the migration of email to the cloud would not break their\nfunctionality. Applications are managed locally throughout their lifecycle and are not part of the \xe2\x80\x9cIT\nPortfolio\xe2\x80\x9d and its governance processes described above.\n\nThis is an important distinction because the report states on page 17 that \xe2\x80\x9cOEI representatives indicated\nthat OEI does not manage the IT portfolio for the agency\xe2\x80\xa6\xe2\x80\x9d then goes on to refute that statement from a\npolicy basis. The OEI representatives made this statement in the context of applications, which are not\nunder IIRB governance, rather than the IT portfolio. OEI believes this paragraph is misleading and\nshould be removed.\n\n OIG Comment: OMB Memorandum M-13-09 indicates that \xe2\x80\x9cAs the Federal government\n implements the reform agenda, it is changing the role of Agency Chief Information Officers\n (CIOs) away from just policy making and infrastructure maintenance, to encompass true\n portfolio management for all IT.\xe2\x80\x9d We conclude that the IT portfolio includes all IT.\n\n\n\n\n14-P-0332                                                                                                 31\n\x0c                                                                                     Appendix B\n\n\n OARM Response to Draft Report and OIG Comments\n                                               (May 30, 2014)\n\n\n                          UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                       WASHINGTON, D.C. 
20460\n\n\n\n                                                                                          OFFICE OF\n                                                                                        ADMINISTRATION\n                                                                                        AND RESOURCES\n                                                                                         MANAGEMENT\n\n\nMEMORANDUM\n\nSUBJECT:       Response to Revised Audit Report OA-FY13-0095: Cloud Oversight Resulted in\n               Unsubstantiated and Missed Opportunities for Savings, Unused and Undelivered\n               Services, and Incomplete Policies\n\nFROM:          Craig E. Hooks, Assistant Administrator\n\nTO:            Arthur A. Elkins, Jr.\n               Inspector General\n\nOARM has reviewed revised OIG audit OA-FYB-0095, and provides the following response to\nnew and existing audit findings.\n\n                           OARM Recommendations and Responses\n\nRecommendation 2: Determine the difference in cost between not moving all the email to\nthe cloud within the agreed-to time frames as specified in the contract and just moving 30\ndays of email, and seek an equitable reduction in price.\n\nOARM Response: In the draft report, the OIG described the scenario leading to the above\nrecommendation as "after entering into the contract, OEI indicated that the vendor stated it could\nnot transfer all of the e-mail in the timeframe required by the contract. 
As a result, OARM\'s\nContacting Officer (CO) verbally allowed the vendor to transfer only 30 days\' worth of e-mail.\nEven though the vendor did not perform the work agreed to in the contract the CO did not issue a\ncure notice or seek to renegotiate the \'price of the contract with an equitable reduction in price."\nThe Office of Acquisition Management (OAM) does not believe these general statements\naccurately represent the circumstances that resulted in an authorized change order to the contract.\nPursuant to the changes clause of the contract (FAR 52.243-1), the contracting officer is\nauthorized to direct changes within the general scope of the contract (FAR 4 3.201). Moreover,\nin light of the fact that the contracting officer considered such changes to be within the scope of\nthe changes clause, the terms and conditions relating to potential termination (e.g., issuance of a\n\n\n14-P-0332                                                                                        32\n\x0cshow cause or cure notice) did not apply. With respect to the statement that the contracting\nofficer did not seek to renegotiate the price of the contract with an equitable reduction in price,\nsuch a statement implies that a reduction in price is the only consideration that would be\napplicable and appropriate for contract changes. In fact, equitable adjustments resulting from\ncontract changes can take various forms depending on the type of contract and the nature of such\nchanges. For example, adequate consideration for authorized changes may, and in this case did,\ninclude the contractor absorbing increased costs it was required to incur for performance of the\nchanged contract.\n\nContract EP-G12H-00522 was awarded to the vendor on September 14, 2012 in support of an\nEPA requirement to replace the current enterprise on premise e-mail, collaboration and\nBlackberry Enterprise solution, with a Software as a Service (SaaS) services and support\ncontract. 
In accordance with the solicitation, the successful offer included a fixed-price four (4)\nmonth transition period during which email would be migrated from the old to the new software\nusing a migration tool. As a result of subsequent EPA identified risks, modification 2 of the\ncontract extended the migration period to five (5) months and adjusted the fixed-price by\n$112,359. In mid-December 2012, the vendor notified EPA that a latent defect in the proposed\nmigration tool discovered during testing would severely protract the speed of the migration, from\nsix (6) weeks to over two (2) years. With this notification, the EPA had three choices: (1)\nterminate the contract for default, (2) require the contractor to execute the migration over two\nyears at no increase in contract price, or (3) negotiate an appropriate contract change. Contract\ntermination was not an option as this requirement was mission critical. Extending the migration\nover two years was not an option as this approach would have resulted in the EPA continuing to\nuse unsupported Lotus Notes software during the migration. Negotiation was the only viable\napproach to reaching a solution. As a result, the vendor proposed three solutions to this problem\nand the parties entered into negotiations. Each of the three proposed solutions included migration\nof all e-mail over extended timeframes (from four [4] to seven [7] months), and the vendor had\nalready purchased a new migration tool proposed under one option. After considering the\nproposed solutions, EPA and the vendor negotiated a fourth solution, which required the vendor\nto migrate only 30 days of e-mail over a weekend. 
The migration was accomplished, and in\nJanuary 2013 the vendor entered into discussions with the EPA on contract scope changes\neffected since award, which other than the afore-mentioned option four (4) solution included a\nnew encryption solution, additional migration schedule changes and the need for additional help\ndesk surge support, and Blackberry infrastructure changes driven by security considerations.\nAlthough the vendor indicated costs were associated with each scope change, the contractor did\nnot file a claim for equitable adjustment for any increased costs incurred. Furthermore, specific\nto the negotiated option four (4) change, the vendor offered to provide up to three (3) additional\ne-mail administrators at no additional cost from January through August 2013 as consideration to\nthe EPA for the scope change. Any of the costs associated with these changes could have been\noffset against costs incurred by EPA resulting from the change in migration scope. Negotiations\ncontinued between the parties and were ultimately settled in July 2013. In the negotiated\nsolution, the CO and contractor agreed to an equitable settlement in which the Government\nwould not be charged any increased costs incurred by the contractor for these changes. 
OAM\nbelieves the more detailed description of the events surrounding this procurement above\ndemonstrate that: (1) the decision to transfer only 30 days of e-mail was documented on the\nrecord prior to the formal July 2013 contract modification, (2) a cure notice was not necessary as\n\n\n\n14-P-0332                                                                                        33\n\x0cthe parties were in negotiations to resolve contract changes not governed by the terminations\nclause, and (3) the decision not to adjust the contract price was not frivolous but rather part of a\nwell-considered, negotiated agreement.\n\nIt is important to note the EPA\'s need to maintain Lotus Notes resulted from drivers other than\nagency wide e-mail, as various agency offices were still using Lotus Notes databases.\nConsequently only a portion of Lotus Notes maintenance resulted from partial e-mail migration.\nLastly, under modification four (4) to the contract the EPA negotiated consideration for the lack\nof required encryption functionality which is calculated on a monthly basis and has resulted in\ncredits of approximately $42,000 to the Agency to date.\n\nFinally, the July 2013 modification revises the Statement of Work to require the vendor to\nmigrate the "Most recent 30 days of Email", and also states "In consideration of the modification\nagreed to herein as complete equitable adjustment based on the Contractor\'s revised proposal\ndated June 18, 2013, the Contractor hereby releases the Government from any and all liability\nunder this contract for further equitable adjustments attributable to such facts or circumstances\ngiving rise to the proposal referenced above. This release shall also apply to the additional\nchanges made to the Statement of Objectives".\n\nThis language creates a complete and final equitable adjustment on the above-described contract\nchange per FAR 43.204(c). 
As such, the Government has no legal basis to re-open negotiations\non this subject.\n\n OIG Comment: The OIG removed this recommendation because, subsequent to the OIG\n notifying the Office of Acquisition Management that the contracting officer had never issued\n a written modification associated with the oral agreement, the Office of Acquisition\n Management issued a written modification that included this scope change.\n\n OARM\xe2\x80\x99s response to the draft report indicated that the Office of Acquisition Management\n and the contractor signed a formal (written) modification, in July 2013 (subsequent to the\n OIG informing the Office of Acquisition Management that there was no written\n modification), that included reducing the amount of email to be migrated by the vendor to\n only the most recent 30 days of email and included language waiving the EPA\xe2\x80\x99s right for\n further equitable adjustment for this modification. Additionally, the Office of Acquisition\n Management\xe2\x80\x99s response indicated that the vendor claimed that there were costs associated\n with other scope changes (including a new encryption solution, additional migration schedule\n changes and the need for additional help desk surge support, and Blackberry infrastructure\n changes driven by security considerations) for which the contractor did not file a claim for an\n equitable adjustment. Further, according to the actual modification, this modification\n changed the incremental funded amount from $3,427,891 to $3,573,891.\n\n The OIG did not perform an evaluation to determine whether this modification was equitable.\n\n\n\n\n14-P-0332                                                                                          34\n\x0cRecommendation 3: Develop training and oversight to help ensure contracting officers:\n     a. Issue cure notices when they become aware that a vendor will not meet its\n        contractual obligations.\n     b. 
Negotiate equitable reductions when vendors are not able to fulfill their\n        contractual obligations.\n     c. Add written amendments to contracts for all contract modifications.\n\nOARM Response: OARM agrees with these recommendations as sufficient regulatory and\npolicy guidance already exists in FAR Part 49 on Cure Notices, and in FAR Parts 43 and 49, and\nCMM Part 42 on Equitable Adjustments. To perform oversight and compliance with these\npolicies, OAM will identify contractor performance issues as a critical focus area for future\ncontracting activity under the self-assessment and peer review components of the BSC PMMP.\n\nWith regard to contract file documentation, OAM has self-identified inadequate file\ndocumentation as a recurring finding under the BSC PMMP Peer Review program, and has\ndirected a number of corrective actions, including the institution of more robust internal control\nreviews of procurement transactions. Policy that has already been updated to foster improvement\nin this area includes the attached excerpts from the OAM Acquisition Handbook \'\'Update to\nAcquisition Handbook 4.1 Reviews, Concurrences, and Checklists" (entire document at\nhttp://oarnintra.epa.gov/node/47, and updated via Interim Policy Notice (IPN) 12-03\n"Acquisition Planning" at http://oamintraepagov/node/8?q=node/158), which Contract Checklists\nof documents to be filed in the official contract file. Again, OAM will continue to use the self-\nassessment and peer review components of the BSC PMMP to monitor compliance with these\npolicies. 
IPN 12-03 was published on October 14, 2013, and Acquisition Handbook 4.1 was\npublished on December 19, 2013, which may be used as the corrective action completion date\nfor this recommendations.\n\nFurthermore, several initiatives resulting from OAM\'s Contract Management Assessment\nProgram (CMAP) Peer Reviews, as well as OARM\'s Centers of Expertise in contracting\ninitiative, will establish new or improved functional requirements in this area. These include\nestablishing independent business clearance reviews of pre- and post-award actions, and\nheightened accountability for obtaining and retaining delegations of contracting authority.\nAdditionally, a BSC initiative on contract management planning has been developed in FY 2014\nto identify process improvements, policies and other tools to improve both contract file\ndocumentation and administration activities. To perform oversight, again OAM will use the self-\nassessment and peer review components of the BSC PMMP to monitor and report on compliance\nwith applicable regulations, policies, and guidance. OAM oversight activities are ongoing.\n\n OIG Comment: OARM agreed to the recommendation and indicated that it has taken\n actions to address this recommendation.\n\n\n\n\n14-P-0332                                                                                      35\n\x0cRecommendation 8: Establish formal oversight processes and training to ensure that the\nrequirements for use of the USGv6 Profile and Test Program for the completeness and\nquality of their 1Pv6 capabilities are met within all applicable IT contracts or that a waiver\nis obtained from the CIO prior to issuing an applicable IT contract that does not meet the\nrequirements, as required by FAR.\n\nOARM Response: OARM agrees with this recommendation. 
Although supporting\ndocumentation for this procurement indicates the CIO relieved solicitation compliance\nrequirements as a result of market research indicating there were no solutions to the technical\nrequirement, and was also aware the awardee would not be in compliance until September 2013,\nthe FAR requires a waiver. Subsequent to the award of this contract, OAM issued Interim Policy\nNotice (IPN) 12-03, "Acquisition Planning" at http://oamintra.epa.gov/node/8?q=node/158,\nwhich implements a robust acquisition planning process including use of an acquisition planning\nteam to conduct planning in support of all procurements above the simplified acquisition\nthreshold. Under IPN 12-03, pre-award acquisition planning on information technology (IT)\nrequirements includes discussions to ensure these requirements are solicited and the file\ndocumented in accordance with applicable regulations, policy and guidance, and OAM uses the\nself-assessment and peer review components of the Balanced Scorecard Performance\nMeasurement and Management Program (BSC P:MMP) to monitor compliance post-award. IPN\n12-03 was published on October 14, 2013, which may be used as the completion date for this\ncorrective action.\n\nFurthermore, as the self-assessment and peer review checklists are subject to regular review and\nupdating, OAM will use this process as a mechanism to focus on compliance areas identified\nthrough internal and external reviews, including audit findings such as recommendation 8 above.\nFinally, on the instant procurement the CO obtained a waiver for the follow-on action under this\ncontract, which is in the contract file.\n\n OIG Comment: OARM agreed to the recommendation and indicated that it has taken\n actions to address the recommendation.\n\ncc: Nanci Gelb, Principal Deputy Assistant Administrator, OARM\n    Rudolph M. 
Brevard, Director, Information Resource Management Audits\n    John Bashista, Director, Office of Acquisition Management, OARM\n    Todd Hanson, Director, OAM Headquarters Procurement Operation Division, OARM\n    Brandon McDowell, OARM\n    Lisa M. Maass, OARM/OAM\n\n\n\n\n14-P-0332                                                                                     36\n\x0c                                                                                 Appendix C\n\n\n\n                                     Distribution\nOffice of the Administrator\nAssistant Administrator for Environmental Information and Chief Information Officer\nAssistant Administrator for Administration and Resources Management\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for External Affairs and Environmental Education\nPrincipal Deputy Assistant Administrator for Environmental Information\nPrincipal Deputy Assistant Administrator for Administration and Resources Management\nDirector, Office of Technology Operations and Planning, Office of Environmental Information\nDirector, Office of Acquisition Management, Office of Administration and Resources Management\nDirector, Office of Policy and Resource Management, Office of Administration and\n        Resources Management\nDeputy Director, Office of Policy and Resource Management, Office of Administration and\n        Resources Management\nAudit Follow-Up Coordinator, Office of Environmental Information\nAudit Follow-Up Coordinator, Office of Administration and Resources Management\nAudit Follow-Up Coordinator, Office of Acquisition Management, Office of Administration and\n        Resources Management\n\n\n\n\n14-P-0332                                                                                   37\n\x0c'